Products.Five: browser.view directive ignores access control directives.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Zope 2 | Fix Released | High | Hanno Schlichting | |
Bug Description
The following zcml should protect the listed page with the zope2.Private permission (e.g. not viewable at all from the web):
```xml
<configure
    xmlns="http://namespaces.zope.org/zope"
    xmlns:browser="http://namespaces.zope.org/browser">
  <!-- the class attribute value is truncated in the original report -->
  <browser:view
      name="foo"
      for="*"
      class="..."
      permission="zope2.Private"
      >
    <browser:page name="bar" attribute="bar" />
  </browser:view>
</configure>
```
However, the @@foo/bar page is perfectly accessible, because the Products.
There is in fact no way to protect a view (and the associated pages) from anonymous access with ZCML. The allowed_interface and allowed_attributes are similarly ignored.
Workaround: use old-style security=
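As an added example that is not part of the original report or of Zope itself: a small audit script that parses ZCML and lists every browser:view whose only protection comes from the attributes this bug describes as ignored (permission, allowed_interface, allowed_attributes), so those views can be given old-style security declarations instead. The sample ZCML, including its class names, is constructed for the example.

```python
"""Audit ZCML for browser:view directives whose access-control attributes
Products.Five silently ignores (added example, not code from the report)."""
import xml.etree.ElementTree as ET

BROWSER_NS = "http://namespaces.zope.org/browser"
PUBLIC = (None, "zope2.Public", "zope.Public")

# Constructed sample ZCML mirroring the configuration in the bug report.
SAMPLE_ZCML = """<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:browser="http://namespaces.zope.org/browser">
  <browser:view name="foo" for="*" class="example.FooView"
                permission="zope2.Private">
    <browser:page name="bar" attribute="bar" />
  </browser:view>
  <browser:view name="pub" for="*" class="example.PubView"
                permission="zope2.Public" allowed_attributes="render">
    <browser:page name="index" attribute="index" />
  </browser:view>
</configure>"""


def audit_browser_views(zcml_text):
    """Return one finding per browser:view that relies on ZCML-only
    protection: the view name, the @@view/page paths it exposes, the
    declared permission and which ignored attributes it depends on."""
    root = ET.fromstring(zcml_text)
    findings = []
    for view in root.iter("{%s}view" % BROWSER_NS):
        name = view.get("name")
        permission = view.get("permission")
        # allowed_interface / allowed_attributes are ignored outright.
        ignored = [a for a in ("allowed_interface", "allowed_attributes")
                   if view.get(a)]
        # A non-public permission is also ignored, so the view stays open.
        if permission not in PUBLIC:
            ignored.insert(0, "permission")
        if not ignored:
            continue  # intended to be public anyway; nothing to flag
        pages = ["@@%s/%s" % (name, p.get("name"))
                 for p in view.findall("{%s}page" % BROWSER_NS)]
        findings.append({"view": name, "pages": pages,
                         "permission": permission, "ignored": ignored})
    return findings


if __name__ == "__main__":
    for finding in audit_browser_views(SAMPLE_ZCML):
        print(finding)
```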
- visibility: private → public
- Changed in zope2:
  - assignee: nobody → Hanno Schlichting (hannosch)
  - milestone: none → 2.12.9
- Changed in zope2:
  - status: Confirmed → Fix Committed
- Changed in zope2:
  - status: Fix Committed → Fix Released
Could you try to use a different permission, like "zope2.ViewManagementScreens" or "zope2.ManageUsers"?
I don't see any other mention of "zope2.Private" except in the permissions.zcml file in Five. It doesn't look like it's a valid permission in the AccessControl sense.
In site.zcml we have:
```xml
<meta:redefinePermission from="zope2.Public" to="zope.Public" />
```
which seems to take care of the public counterpart, but there's no such entry for the private one. It looks to me like the private permission is a decoy.